(54) Secure wireless local area network

(57) The secure wireless local area network of the present invention includes a single wired network that supports both wired and wireless devices. The network addresses security concerns by including an authentication server that services a plurality of access points. Each access point includes a first authentication device that generates and transmits a first authentication message to the corresponding wireless device over an air channel. The first authentication message includes encrypted validating information about the access point, including an access point key that uniquely identifies the access point. Each wireless device includes a second authentication device. The wireless device receives the first authentication message and determines whether the access point is authorized to connect to the wired network. If the access point is valid, the second authentication device responds to the first authentication message by generating and transmitting a second authentication message to the access point. The second authentication message includes encrypted validating information about the wireless device and operator, e.g., a device key and the operator's logon name and password. The access point determines the authenticity of the wireless device by decrypting the portion of the second authentication message that includes the device key. If the wireless device is valid, the AP opens a control channel with the authentication server. The AP transmits the first and second authentication messages to the authentication server. If the authentication server validates the access point and the operator's logon name and password, it will authorize access to the wired network.
Description

Field of the invention 

[0001] This invention relates to a wireless local area network and, more particularly, to a secure wireless local area network.

Description of the Prior Art 

[0002] A wireless local area network (LAN) is a flexible data communications system implemented as an extension to or as an alternative for a wired LAN. Using radio frequency (RF) technology, wireless LANs transmit and receive data over the air, minimizing the need for wired connections. Thus, wireless LANs combine data connectivity with operator mobility.
[0003] Wireless LANs have gained strong popularity in a number of vertical markets, including the healthcare industry, retail, manufacture, warehousing, and academia. These industries have profited from the productivity gains of using hand-held terminals, personal digital assistants (PDAs), notebook computers, and the like to transmit real-time information to centralized hosts for processing. Today, wireless LANs are becoming more widely recognized as a general-purpose connectivity alternative for a broad range of business customers. With wireless LANs, operators can access shared information without looking for a place to plug in. Wireless LANs offer a variety of productivity, convenience, and cost advantages over traditional wired networks, including mobility, installation speed, simplicity and flexibility, reduced cost of ownership, and scalability. Wireless LANs frequently augment rather than replace wired LAN networks, often providing the final few meters of connectivity between a wired network and the mobile operator.

[0004] Wireless LANs use electromagnetic airwaves (radio or infrared) to communicate information from one point to another without relying on any physical connection. Radio waves are often referred to as radio carriers because they simply perform the function of delivering energy to a remote receiver. The data being transmitted is superimposed on the radio carrier so that it can be accurately extracted at the receiving end. This is generally referred to as modulation of the carrier by the information being transmitted. Once data is superimposed (modulated) onto the radio carrier, the radio signal occupies more than a single frequency, since the frequency or bit rate of the modulating information adds to the carrier. To extract data, a radio receiver tunes in one radio frequency while rejecting all other frequencies.

[0005] Fig. 1 is a block diagram of a conventional network 10 including a wired LAN 12 and a wireless LAN 14. The wired LAN 12 is often set up as an Intranet. An Intranet is a network designed for information processing within a company or organization. An Intranet is so called because it usually employs Web pages for information dissemination and applications associated with the Internet, such as Web browsers. It can also include file transfer protocol (FTP) sites, e-mail, and newsgroups and mailing lists accessible only to those within the organization.

[0006] A typical wired LAN 12 includes a plurality of wired devices 16A-D, e.g., desktop personal computers (PCs), connected to the same or different sub-networks (subnets) 18, 20, and 22 terminating at a router (not shown). The wired devices 16A-D are physically connected to each other through cabling (not shown) on the wired LAN 12. For example, PCs 16A and 16B are connected to subnet 18 while PCs 16C and 16D are connected to subnet 20. Subnets 18 and 20 are coupled to each other and to inner firewall router 24 via subnet 22. The inner and outer firewall routers 24 and 28 provide an authorization mechanism that assures only specified operators or applications can gain access to the wired LAN 12. The inner firewall router 24 links the wired LAN 12 to remote users seeking access through the wireless LAN 14 and the Internet 30. The outer firewall 28 limits access to the Virtual Private Network (VPN) server 26 by remote users seeking access through the Internet 30.

[0007] A typical wireless LAN 14 includes at least one access point (AP), the physical cabling (not shown) that connects one AP to another, and at least one wireless device, like devices 34A-C. Common examples of wireless devices 34A-C are hand-held terminals, PDAs, notebook computers, and the like. Other wired and wireless devices are well known to those of skill in the art. An AP, like APs 32A-B, is a transmitter/receiver (transceiver) device that connects to the wireless LAN 14 from a fixed location. At a minimum, the AP receives, buffers, and transmits data between the wireless devices 34A-C and the wireless LAN 14 through an air communications channel. A single AP can support a single wireless device (e.g., AP 32A supports wireless device 34A) or a small group of wireless devices (e.g., AP 32B supports wireless devices 34B and 34C). The APs can function within a range of less than one hundred to several hundred feet. The AP includes an antenna that is usually mounted high but may be mounted essentially anywhere that is practical so long as the desired radio coverage is obtained.

[0008] The inner firewall router 24 is coupled to the VPN tunnel server 26 and the outer firewall router 28. The VPN server 26 encrypts messages to and from the wired LAN 12 and may provide secondary authentication for remote users. The VPN server 26 uses the Internet 30 to economically connect remote users, such as those in branch offices and remote project teams, to the wired LAN 12. The VPN server 26 also acts as a gateway between operators of the wireless LAN 14 and the wired LAN 12. The VPN server 26 views access to the wired LAN 12 by the operators of the wireless devices 34A-C the same as remote access by remote users.
enabling a data channel between the wireless device and other devices on the wired LAN after validating the access point and the operator.

9. The method of claim 8 wherein transmitting the first authentication message includes transmitting information about the access point contained in a first authentication device and wherein transmitting the second authentication message includes transmitting information about the wireless device and the operator contained in a second authentication device.

10. The method of claim 9 wherein transmitting the first and second authentication messages includes establishing a control channel between the access point and the authentication server.